Great job on that paper, Chris. Explains it in a very readable manner that a user could understand and still comprehensive enough for an experienced security pro to get something out of it.

About the only criticism that I could think of is more of just opinion than a problem with the paper. NTLM tables are becoming easily available for anyone that really wants them, and I'm somewhat paranoid, so I take the stance that passwords just aren't a secure way to authenticate. Two-part authentication is really the only way to protect yourself. You address this by stating all but the most determined attacker, but I think the addition of two-part authentication to the mitigation portion would complete this fine work.

Let me know if you'd be interested in having us post some of your articles, especially any new ones. We're always looking for good content, and this seems to fit the bill. Keep us posted on a revision to this article. Maybe v2 will have a home at EH-Net?

No problem. It actually spurred some more research for me, which is very timely since I'm rolling out EFS. The biggest weakness being authentication.

It seems, after spending hours and hours reading and testing, that NTLMv2 passwords over 14 characters seem pretty strong even with a minimum of complexity. I've read it before but never really taken the time to try and crack something that long. Beyond my technical ability for sure, but that may only be for a short time. Still going to stick with two-factor though. I think if you get into passwords that long, you are almost forcing your users to put it on a sticky note. Of course they'll probably just leave their smartcards in their laptops all the time anyway.

I think I'm going to try to go to dual-purpose cards. We use prox cards for physical access control. If I make them dual-purpose, then they have to take them out to go anywhere in the building. Hopefully that will help them get used to the idea of removing them when not in use. LOL@myself. Wishful thinking, I'm sure.